cssrs.exe

The executable cssrs.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘TINTIMG’. While running, it connects to the Internet address sinkhole.fitsec.com on port 80 using the HTTP protocol.
MD5:
2618e1298faf224b488ada3a9c7707c0

SHA-1:
01c97485d52ceec75d0c42ce149280f52b2b5085

SHA-256:
9c98a51516b3810286c121dfa381fd03bbd54e1cd150042b760f3e484ba29604

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/27/2024 7:51:58 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Trojan.TINTIMG (M)
17.2.15.19

File size:
610.5 KB (625,168 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\cssrs.exe

File PE Metadata
Compilation timestamp:
12/1/1999 6:14:19 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0x44000

Entry point:
60, E8, 00, 00, 00, 00, 5D, 8B, C5, 81, ED, CE, B2, 01, 20, 2B, 85, 35, BA, 01, 20, 89, 85, 31, BA, 01, 20, B0, 00, 86, 85, 66, BC, 01, 20, 3C, 01, 0F, 85, BC, 01, 00, 00, 83, BD, 61, BB, 01, 20, 00, 74, 33, 83, BD, 65, BB, 01, 20, 00, 74, 2A, 8B, 85, 31, BA, 01, 20, 2B, 85, 61, BB, 01, 20, 8B, 00, 89, 85, 9E, BB, 01, 20, 8B, 85, 31, BA, 01, 20, 2B, 85, 65, BB, 01, 20, 8B, 00, 89, 85, A2, BB, 01, 20, EB, 61, 83, BD, 69, BB, 01, 20, 00, 74, 58, 8B, 85, 31, BA, 01, 20, 2B, 85, 69, BB, 01, 20, FF, 30, 8D, 85...
 
[+]

Entropy:
7.2308

Packer / compiler:
ASPack v1.08.04

Code size:
41 KB (41,984 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
TINTIMG

Command:
C:\users\{user}\appdata\roaming\cssrs.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ekiaiooqqo.c06.mtsvc.net  (205.186.187.148:80)

TCP (HTTP):
Connects to ec2-54-85-149-135.compute-1.amazonaws.com  (54.85.149.135:80)

TCP (HTTP):
Connects to unknown.prolexic.com  (72.52.4.120:80)

TCP (HTTP):
Connects to mail.accu17.denver.wehostwebsites.com  (173.248.137.197:80)

TCP (HTTP):
Connects to sinkhole.fitsec.com  (193.166.255.171:80)

TCP (HTTP):
Connects to ec2-52-204-129-22.compute-1.amazonaws.com  (52.204.129.22:80)

TCP (HTTP):

TCP (HTTP):
Connects to ec2-52-1-32-25.compute-1.amazonaws.com  (52.1.32.25:80)

Remove cssrs.exe - Powered by Reason Core Security